
Relevant context: https://twitter.com/zofrex/status/1319286955314614275

Apparently the name used to be

    \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD



New name is disappointing. The company should at least be renamed to:

    \&quot;&gt;&lt;SCRIPT SRC=MJT.XSS.HT&gt;&lt;/SCRIPT&gt; LTD


How about EICAR ANTIVIRUS TEST FILE? Or the DeCSS key?


Hitting mjt.xss.ht returns this:

/* THIS SUBDOMAIN HAS BEEN BANNED FROM THE XSS HUNTER SERVICE.

WE DO NOT ALLOW ABUSE OF OUR SERVICE, ALL SECURITY TESTING MUST BE AUTHORIZED.

Please use our contact form if you believe this ban was a mistake: https://xsshunter.com/contact */


It previously returned an XSS test payload https://pbs.twimg.com/media/ElAYZTcX0AEyFUY?format=jpg&name=...


The character set used looks to be specifically authorized by law[1] so this doesn't appear to be unauthorized testing.

1. https://news.ycombinator.com/item?id=24921261


But not authorized by all the company register clone sites that would have triggered this. The service appears to be for testing your own site.


Will that even work without http:// or at least // in front of the domain name?

Tried it in Chrome and it sees it as a file name on the current domain.


Seems to have a bit. Cut and paste from the guy who set up \"><SCRIPT SRC=MJT.XSS.HT></SCRIPT> LTD

...

>I am in the process of contacting every website that has triggered my script which has a readily available contact for submitting security issues, or a hackerone account or similar. Alas, the sort of websites that have XSS problems rarely list IT security contacts.


I don't think so. The traditional, canonical regular expression[1] for parsing a URL is

    ^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?

See https://tools.ietf.org/html/rfc3986#appendix-B

The authority section (which contains the host domain) must begin with "//" whether there's a scheme prefix or not. Otherwise it's just part of the path (or query or fragment). IIRC, these semantics are also fixed by HTML such that any attribute like HREF or SRC is parsed as if using the canonical regex (but after entity substitution and whitespace trimming). Browsers might have implemented this differently many years ago, but I doubt it as it would conflict with being able to use a bare path atom (e.g. foo.html).

[1] I normally eschew using regular expressions for proper parsing, but for URLs the canonical expression is both adequate and advisable for correctness.
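To make the point above concrete, here is an added example (not from this thread or from any of its commenters) that runs the RFC 3986 Appendix B regex over the three spellings of the SRC value and resolves each against a constructed base page URL; the host `example.test`, the path and the helper names are assumptions.

```python
import re
from urllib.parse import urljoin

# The RFC 3986 Appendix B regex quoted in the comment above. Group numbers:
# 2 = scheme, 4 = authority (host), 5 = path, 7 = query, 9 = fragment.
RFC3986_RE = re.compile(
    r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?'
)


def split_url(ref: str) -> dict:
    """Split a URI reference into its five RFC 3986 components."""
    m = RFC3986_RE.match(ref)  # always matches: every part is optional
    return {
        "scheme": m.group(2),
        "authority": m.group(4),
        "path": m.group(5),
        "query": m.group(7),
        "fragment": m.group(9),
    }


def classify(ref: str) -> str:
    """Where would a browser fetch this SRC value from?"""
    parts = split_url(ref)
    if parts["scheme"] is not None:
        return "absolute"          # HTTP://MJT.XSS.HT -> that host
    if parts["authority"] is not None:
        return "scheme-relative"   # //MJT.XSS.HT -> that host, page's scheme
    return "path-relative"         # MJT.XSS.HT -> a file on the current site


def resolve(base_page: str, ref: str) -> str:
    """Resolve the reference against the page embedding it (RFC 3986 section 5)."""
    return urljoin(base_page, ref)


if __name__ == "__main__":
    # Constructed base URL of a hypothetical company-register page.
    base = "https://example.test/companies/123"
    for ref in ("MJT.XSS.HT", "//MJT.XSS.HT", "HTTP://MJT.XSS.HT"):
        print(f"{ref:20} {classify(ref):16} -> {resolve(base, ref)}")
```

Note the known ambiguity of the regex: a bare `host:port` such as `localhost:8080` parses as scheme `localhost`, which is why a host without `//` is never treated as an authority.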


It had HTTP originally, Twitter just munged it.


You would think if you go to all the trouble to register a company name, you would at least use a domain you control.